$OpenBSD: patch-sysdep_bsd_setkey_h,v 1.2 2017/03/03 00:05:38 sthen Exp $

- the local address must be configured in config file
- uses hardcoded SPI (same for each direction); see comments


--- sysdep/bsd/setkey.h.orig	Thu Dec 22 22:53:39 2016
+++ sysdep/bsd/setkey.h	Fri Mar  3 00:03:24 2017
@@ -8,12 +8,24 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <net/pfkeyv2.h>
+
+#ifdef __OpenBSD__
+#include <netinet/ip_ipsp.h>
+#else
 #include <netipsec/ipsec.h>
+#endif
 
 #include "nest/bird.h"
 #include "lib/unix.h"
 
+#ifndef PFKEY_ALIGN8
+#define	PFKEY_ALIGN8(a) (1 + (((a) - 1) | (8 - 1)))
+#endif
 
+#ifndef PFKEY_UNIT64
+#define	PFKEY_UNIT64(a)		((a) >> 3)
+#endif
+
 /*
  * Open a socket for manage the IPsec SA/SP database entries
  */
@@ -40,6 +52,7 @@ setkey_send(struct sadb_msg *msg, uint len)
   if (msg->sadb_msg_type == SADB_ADD)
   {
     /* Delete possible current key in the IPsec SA/SP database */
+    /* XXX use SA_UPDATE here on OpenBSD? */
     msg->sadb_msg_type = SADB_DELETE;
     send(s, msg, len, 0);
     msg->sadb_msg_type = SADB_ADD;
@@ -71,7 +84,9 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
     sizeof(struct sadb_msg) +
     sizeof(struct sadb_key) + PFKEY_ALIGN8(passwd_len) +
     sizeof(struct sadb_sa) +
+#ifndef __OpenBSD__
     sizeof(struct sadb_x_sa2) +
+#endif
     sizeof(struct sadb_address) + PFKEY_ALIGN8(src->sa.sa_len) +
     sizeof(struct sadb_address) + PFKEY_ALIGN8(dst->sa.sa_len);
 
@@ -90,6 +105,9 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
   msg->sadb_msg_pid = getpid();
   pos += len;
 
+#ifdef __OpenBSD__
+if (type != SADB_DELETE) {
+#endif
   /* Set authentication algorithm and password */
   struct sadb_key *key = (void *) pos;
   len = sizeof(struct sadb_key) + PFKEY_ALIGN8(passwd_len);
@@ -98,31 +116,50 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
   key->sadb_key_bits = passwd_len * 8;
   memcpy(pos + sizeof(struct sadb_key), passwd, passwd_len);
   pos += len;
+#ifdef __OpenBSD__
+}
+#endif
 
   struct sadb_sa *sa = (void *) pos;
   len = sizeof(struct sadb_sa);
   sa->sadb_sa_len = PFKEY_UNIT64(len);
   sa->sadb_sa_exttype = SADB_EXT_SA;
+#ifdef __OpenBSD__
+  sa->sadb_sa_auth = SADB_AALG_MD5HMAC;
+  sa->sadb_sa_state = SADB_SASTATE_MATURE;
+
+  /*
+   * XXX  Before adding the SA we should use SADB_GETSPI to reserve/fetch
+   *      an SPI (call it with src/dest addresses). This spi should be stored
+   *      and used for SADB_ADD/UPDATE and stored to use for later SADB_DELETE.
+   */
   sa->sadb_sa_spi = htonl((u32) TCP_SIG_SPI);
+#else
   sa->sadb_sa_auth = SADB_X_AALG_TCP_MD5;
-  sa->sadb_sa_encrypt = SADB_EALG_NONE;
   sa->sadb_sa_flags = SADB_X_EXT_CYCSEQ;
+  sa->sadb_sa_spi = htonl((u32) TCP_SIG_SPI);
+#endif
+  sa->sadb_sa_encrypt = SADB_EALG_NONE;
   pos += len;
 
+#ifndef __OpenBSD__
   struct sadb_x_sa2 *sa2 = (void *) pos;
   len = sizeof(struct sadb_x_sa2);
   sa2->sadb_x_sa2_len = PFKEY_UNIT64(len);
   sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
   sa2->sadb_x_sa2_mode = IPSEC_MODE_ANY;
   pos += len;
+#endif
 
   /* Set source address */
   struct sadb_address *saddr = (void *) pos;
   len = sizeof(struct sadb_address) + PFKEY_ALIGN8(src->sa.sa_len);
   saddr->sadb_address_len = PFKEY_UNIT64(len);
   saddr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+#ifndef __OpenBSD__
   saddr->sadb_address_proto = IPSEC_ULPROTO_ANY;
   saddr->sadb_address_prefixlen = MAX_PREFIX_LENGTH;
+#endif
   memcpy(pos + sizeof(struct sadb_address), &src->sa, src->sa.sa_len);
   pos += len;
 
@@ -131,8 +168,10 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
   len = sizeof(struct sadb_address) + PFKEY_ALIGN8(dst->sa.sa_len);
   daddr->sadb_address_len = PFKEY_UNIT64(len);
   daddr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+#ifndef __OpenBSD__
   daddr->sadb_address_proto = IPSEC_ULPROTO_ANY;
   daddr->sadb_address_prefixlen = MAX_PREFIX_LENGTH;
+#endif
   memcpy(pos + sizeof(struct sadb_address), &dst->sa, dst->sa.sa_len);
   pos += len;
 
@@ -160,11 +199,19 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr 
 
     if (setkey_md5(&src, &dst, passwd, SADB_ADD) < 0)
       ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
+#ifdef __OpenBSD__
+    if (setkey_md5(&dst, &src, passwd, SADB_ADD) < 0)
+      ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database #2");
+#endif
   }
   else
   {
     if (setkey_md5(&src, &dst, NULL, SADB_DELETE) < 0)
       ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
+#ifdef __OpenBSD__
+    if (setkey_md5(&dst, &src, NULL, SADB_DELETE) < 0)
+      ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database #2");
+#endif
   }
   return 0;
 }
